I get nervous when I see HTTP_REFER and (unqualified) security mentioned together.

Leaving aside the fact that the Referer header is trivially spoofed in a client, many "personal firewalls", proxies and other internet security software will remove or otherwise anonymise the the Referer header: the HTTP Specification makes the suggestion that it might be removed.

I know all to well the many ways referers can be spoofed.
This is way the code has settings that can change what you want to check for a page.
The main action that should be used is the QUERY_STRING encoding, witch can secure the data in the QUERY_STRING from being tamperd with. The QUERY_STRING encoding can be checked allown or if you want to increace the security check you can give a matching referer and/or check the referer encoding witch was the last QUERY_STRING encoding.
1) This code can be use to stop anyone from tampering with your url's
2)This code can be used to secure one page to another.
3) this code can be used to add an experation to links made.
4) this code can be used to only allow the one that requested the link encoding to work for.
has more uses....